This technical guide describes how to get started with code signing of executable files, software releases, firmware or other custom formats.
Harmful code is a real threat to users and organizations alike today, as criminal groups and even governments use malicious software to steal and monitor data, extort money or empty your bank account.
Digitally signing executable files such as applications, libraries and drivers is an important part of security whenever software is distributed over insecure networks (internal or the Internet) or stored on untrusted media. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The most common use of code signing is to provide security when deploying software, for example installing and updating applications on your computer. The digital signature on the software is used to verify the identity of the author of the software and that the software has not been modified.
SignServer Enterprise is a secure code signing solution that allows you to keep code signing keys protected, and also provides a centrally managed and audited single service for all your code signing needs.
SignServer enables different project members or systems to authenticate and share the same protected code signing key and certificate when signing, and also provides audit records of who signed what. SignServer can also control individual code signing keys where only one person is granted authorization.
Most code signing needs are fulfilled by SignServer Enterprise, using different signers and custom plug-ins:
- Authenticode for Portable Executables (PE signing) as of SignServer Enterprise 3.6.3.
- Java (JAR signing) as of SignServer Enterprise 3.7.1 and Windows Installer (MSI signing) as of SignServer Enterprise 4.1.0.
- Client-side hashing and construction for Authenticode and JAR signing as of SignServer Enterprise 4.2.0.
The SignServer Manual is available in the following locations:
- In the release files as doc/htdocs/index.html.
- On a running SignServer instance at the /signserver/doc/ location: http://localhost:8080/signserver/doc/.
- On a running PKI Appliance at the /signserver/doc/ location: https://appliance.example.com/signserver/doc/.
- On the PrimeKey download server: https://download.primekey.com/docs/SignServer-Enterprise/.
- On the PrimeKey documentation site: https://doc.primekey.com/signserver.